Key Management in Mobile and Sensor Networks - PowerPoint PPT Presentation

Slides: 28
Provided by: Adrian209
Learn more at: http://www.cs.cmu.edu

1
Key Management in Mobile and Sensor Networks
  • Class 17

2
Outline
  • Challenges in key distribution, trust
    bootstrapping
  • Pre-setup keys (point-to-point, public)
  • Resurrected duckling
  • PGP trust graph
  • Trusted third party (TTP)
  • Kerberos, SPINS
  • PKI
  • Key infection
  • Random-key predistribution

3
Key Management
  • Goal: set up and maintain secure keys
  • Public keys for signature verification or
    node-to-node key setup
  • Shared keys for confidentiality or authenticity
  • Group keys for secure group communication
  • Challenges
  • Trust establishment (Class example?)
  • Node compromise
  • Dynamic node addition/removal

4
Network Architectures
  • Closed networks, centralized deployment (trusted
    authority controls and deploys nodes)
  • All-pairs shared keys, or all public keys
  • PKI, TTP (Kerberos, SPINS)
  • Zhou and Haas threshold key management
  • Random-key predistribution
  • Open networks, autonomous deployment
  • Resurrected duckling
  • PGP web of trust
  • Key infection

5
Full Key Deployment
  • Symmetric case
  • All-pairs shared keys (need O(n^2) keys)
  • Challenge: node addition
  • Asymmetric case
  • Distribute every node's public key (n keys)
  • Nodes can easily set up secure shared keys

6
Trusted Key Management Center
  • Symmetric case
  • Trusted third party (TTP) shares key with each
    node (n keys)
  • Set up key between two nodes through TTP
  • Kerberos, SPINS key agreement protocol
  • Asymmetric case
  • Public-key infrastructure (PKI)
  • Certification authority (CA) signs public keys of
    nodes
  • All nodes know CA's public key

7
Zhou and Haas Key Management
  • PKI drawbacks
  • Revocation requires on-line PKI
  • Single point of failure, CA replication increases
    vulnerability to node compromise
  • Distributed CA Model, tolerates t faulty nodes
  • Threshold signatures
  • Signing needs coalition of t+1 correct nodes
  • Secret sharing prevents t malicious nodes from
    reconstructing CA private key
  • Proactive security
  • Defend against mobile adversary

8
Discussion
  • How can share refreshing tolerate faulty nodes?
  • How can we tolerate compromised combiner?
  • Who decides to be a combiner?
  • How can we bootstrap this system?
  • How can we introduce a new node?
  • Why should node sign a message?
  • How does node authenticate message?
  • Is signature combination expensive if we have t
    faulty nodes?
  • How efficient are these mechanisms?

9
Random-key Predistribution
  • Scenario: deploy 10^4 mote sensors from airplane
  • Goal: set up secure node-to-node keys
  • Simple approaches impractical
  • Network-wide secret key
  • Pairwise shared key with every other node
  • Pairwise shared key with neighbors
  • Public key infrastructure

10
Basic Random Key Scheme
  • Eschenauer and Gligor, ACM CCS 2002
  • Observation: no need for all pairs of nodes to be
    able to communicate to get a connected network
  • For any 2 nodes, if they can communicate with
    some probability p, then the network is a random
    graph that is connected with high probability
    (e.g. 0.999)
  • p is a given parameter, dictated by communication
    range and density of deployment of the nodes

11
Basic Random Key Scheme
[Figure: total key space, 2^128]

12
Key capture
  • Security of the basic scheme is dependent on the
    adversary not knowing the key pool P
  • Suppose adversary can compromise sensor nodes and
    read the keys off their key rings
  • E.g., adversary captures node X and discovers key
    k. If nodes A and B were communicating using key
    k, the adversary can now eavesdrop although
    neither A nor B was compromised.
  • How can we improve resilience to node capture?

13
q-Composite Keys scheme
  • Require any 2 nodes to share at least q keys to
    communicate
  • Adversary must discover all q keys to eavesdrop
  • To maintain probability of communication between
    any 2 nodes p, must reduce size of key pool
    (samples from a smaller pool are more likely to
    overlap)
  • Smaller key pool → keys are more likely to be
    reused
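
The trade-off on the last three slides, worked through numerically. This is an added example, not part of the original slides; the ring size k=200, target connection probability p=0.33 and capture counts are constructed parameters, and the link key is assumed to be a hash of all keys the two nodes share.

```python
from functools import lru_cache
from math import comb

@lru_cache(maxsize=None)
def p_exact(P, k, i):
    """P(two random k-key rings drawn from a pool of P keys share exactly i keys)."""
    return comb(P, i) * comb(P - i, 2 * (k - i)) * comb(2 * (k - i), k - i) / comb(P, k) ** 2

def p_connect(P, k, q):
    """P(two nodes share at least q keys), i.e. can set up a link key."""
    return 1.0 - sum(p_exact(P, k, i) for i in range(q))

def largest_pool(k, q, p_target, hi=10**7):
    """Largest pool size that still gives p_connect >= p_target (binary search)."""
    lo = k  # with P == k every ring is the whole pool, so p_connect == 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if p_connect(mid, k, q) >= p_target:
            lo = mid
        else:
            hi = mid - 1
    return lo

def frac_links_compromised(P, k, q, x):
    """Expected fraction of links between uncaptured nodes that the adversary
    can read after capturing x nodes (link key = hash of all shared keys)."""
    c = 1.0 - (1.0 - k / P) ** x  # chance a given pool key is on a captured ring
    hit = sum(c ** i * p_exact(P, k, i) for i in range(q, k + 1))
    return hit / p_connect(P, k, q)

def compare(k=200, p_target=0.33, qs=(1, 2), xs=(50, 300)):
    """Pool size and compromised-link fractions per q (constructed parameters)."""
    out = {}
    for q in qs:
        P = largest_pool(k, q, p_target)
        out[q] = (P, [frac_links_compromised(P, k, q, x) for x in xs])
    return out

if __name__ == "__main__":
    for q, (P, fracs) in compare().items():
        print(f"q={q}: pool={P}, compromised fraction at x=50/300: {fracs}")
```

With these parameters q=2 forces a much smaller pool than q=1; it exposes fewer links when few nodes are captured and more links once many are.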

14
Resilience vs node capture
15
Duckling Key Establishment
  • Anderson and Stajano, IWSP 99
  • Problem: how can we set up keys in a ubiquitous
    computing environment?
  • Devices use wireless communication
  • How to set up a key between household devices and
    PDA?
  • Solution: set up keys using trusted communication
    channel
  • Physical contact establishes a secure channel

16
Duckling Security Model 1
  • Assumes wireless communication
  • Goals
  • Availability
  • Guard against jamming and battery exhaustion
  • Sleep deprivation torture attack
  • Secure transient association with device
  • Even in absence of a trusted server
  • Security associations keep changing, as devices
    change owners, or owner changes controller

17
Duckling Security Model 2
  • Life cycle similarities
  • Life cycle of a device
  • Buy device in store
  • Unpack it at home
  • Device breaks or gets a new owner
  • Life cycle of a duckling
  • Duckling is in egg
  • When duckling hatches, first object is viewed as
    mother: imprinting
  • Duckling dies
  • Device ownership similar to duck's soul

18
Duckling Security Model 3
  • Device life cycle
  • Imprinting: device meets master when it wakes up
  • Reverse metempsychosis: device dies and gets new
    owner
  • Escrowed seppuku: manufacturer can kill device to
    enable renewed imprinting
  • Physical contact establishes secure key during
    imprinting phase

19
PGP Web of Trust
  • Problem: how can we establish shared keys in ad
    hoc network without trusted PKI?
  • Approach: use PGP web of trust approach
  • Jean-Pierre Hubaux, Srdan Capkun and Levente
    Buttyán, "The Quest for Security in Mobile Ad Hoc
    Networks", MobiHoc 2001

20
Distributed storage of local certificates
  • Nodes issue certificates (sign others' keys), as
    in PGP
  • Each node stores the certificates that it issued
    (out-bound certificates) and the certificates
    that other nodes issued for it (in-bound
    certificates)

21
Creating the subgraphs
  • Each node builds up its own out-bound and
    in-bound subgraphs
  • To establish secure communication, u and v merge
    their subgraphs and see if they intersect

22
Key Infection
  • Ross Anderson and Adrian Perrig, 2001
  • Goal: light-weight key setup among neighbors
  • Assumptions
  • Attacker nodes have same capability as good nodes
  • Attacker nodes less dense than good nodes
  • Attacker compromises small fraction of good nodes
  • Basic key agreement protocol
  • A → A, KA
  • B → A A, B, KB KA
  • KAB H( A B KA KB )

23
Key Infection
  • Broadcast keys with maximum signal strength

24
Key Whispering Extension
  • Broadcast keys with minimum signal strength to
    reach neighbor

25
Secrecy Amplification
  • A B share KAB, A C share KAC, etc.
  • Strengthen secrecy of KAB
  • A → C B, A, NA KAC
  • C → B B, A, NA KCB
  • B → D A, B, NB KBD
  • D → E A, B, NB KDE
  • E → A A, B, NB KAE
  • KAB H( KAB NA NB )
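
A symbolic model of the key infection exchange and the secrecy amplification step above, showing which keys a passive eavesdropper ends up knowing. This is an added example, not part of the original slides: the class and function names are hypothetical, a trailing key such as "NA KAC" is assumed to mean the nonce is encrypted under that link key, and each link uses fresh keys for simplicity. No real cipher is used; a sealed value is readable only if the frame was received and its key is already known.

```python
import hashlib
import secrets

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

class Eavesdropper:
    """Passive attacker that receives only transmissions from nodes in `hears`."""
    def __init__(self, hears):
        self.hears, self.known = set(hears), set()

    def plain(self, sender, value):
        if sender in self.hears:
            self.known.add(value)

    def sealed(self, sender, key, value):
        # A sealed value is learned only if the frame was heard and the key is known
        if sender in self.hears and key in self.known:
            self.known.add(value)

def setup_link(a, b, eve):
    """a sends Ka in clear, b answers with Kb under Ka, Kab = H(a, b, Ka, Kb)."""
    ka, kb = secrets.token_bytes(16), secrets.token_bytes(16)
    eve.plain(a, ka)
    eve.sealed(b, ka, kb)
    kab = H(a.encode(), b.encode(), ka, kb)
    if ka in eve.known and kb in eve.known:
        eve.known.add(kab)
    return kab

def amplify(kab, paths, links, eve):
    """Send one nonce along each path, hop by hop under that hop's link key."""
    nonces = []
    for path in paths:
        n = secrets.token_bytes(16)
        for u, v in zip(path, path[1:]):
            eve.sealed(u, links[frozenset((u, v))], n)
        nonces.append(n)
    new = H(kab, *nonces)  # KAB' = H(KAB, NA, NB)
    if kab in eve.known and all(n in eve.known for n in nonces):
        eve.known.add(new)
    return new

def run(hears):
    """Return (old KAB known to attacker, amplified KAB known to attacker)."""
    eve = Eavesdropper(hears)
    pairs = [("A", "B"), ("A", "C"), ("C", "B"), ("B", "D"), ("D", "E"), ("A", "E")]
    links = {frozenset(p): setup_link(*p, eve) for p in pairs}
    old = links[frozenset("AB")]
    new = amplify(old, ["ACB", "BDEA"], links, eve)  # paths from the slide
    return old in eve.known, new in eve.known
```

An eavesdropper in range of only A and B learns the original KAB but not the amplified key; it needs to have compromised a link on every nonce path as well.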

26
Key Infection Summary
  • Highly efficient
  • Detailed analysis in progress
  • Preliminary simulation results
  • Nodes uniformly distributed over a plane
  • D (density) average of nodes within radio
    range
  • of attacker nodes 1 of good nodes
  • Table shows fraction of compromised links

D   Basic   Whisper   SA    SA-W
2   1.1     0.4       1.0   0.3
3   1.8     0.6       1.4   0.5
5   2.9     1.0       2.4   0.8

27
Discussion
  • Tradeoff
  • Trust perimeter and security?
  • Security and management?